With the passage of the California Consumer Privacy Act of 2018 (AB 375), the United States now has its first truly sweeping privacy regime. On Thursday, June 28, 2018, California Governor Jerry Brown signed into law what is arguably the most expansive privacy legislation in U.S. history. The Act is the product of backroom wrangling between legislators, industry, and the primary sponsor of a ballot initiative by the same name. Proposed just last week as an alternative to the initiative, the bill has now become law, and the initiative is history, having been formally withdrawn.[1]

What we are left with is a privacy law that will impose significant and often first-of-their-kind privacy obligations on businesses handling data related to California residents. Businesses must now sort through the resulting legislative text, which has often been mischaracterized as a “compromise” or “legislative fix” to the initiative. The Act is complex and includes drafting errors and ambiguities that are by-products of the speed with which the legislation made its way to the governor’s desk. While the initiative may be history, the government relations work is far from over. Businesses have a year and a half before the Act’s January 1, 2020 effective date to work with the California legislature on technical fixes and substantive amendments, as well as with the California Attorney General (AG) on rulemaking that will meaningfully affect the Act’s scope and its interpretation.

Equally important, businesses will need to assess the Act’s many obligations. Although the effective date is a year and a half away, certain obligations will significantly affect how data is handled and will require businesses to put complex processes in place to comply. The Act in some respects carries over, and in other respects goes beyond, the initiative’s “individual rights.” Like the initiative, it requires businesses to disclose the categories of personal information (PI) they collect, sell, and share about consumers and to provide consumers with the right to opt out of the “sale” of their PI. Unlike the initiative, the Act creates additional consumer rights, including the right to deletion of PI and the right to receive a copy of the “specific pieces” of PI.

There are, however, some key limitations on these “individual rights” that were not included in the initiative. Most importantly, the Act narrows the consumer right to sue for violations and limits statutory damages. And unlike the initiative, which would have taken effect soon after the November election if passed, the Act will go into effect on January 1, 2020. As a result, although the Act in many ways is broader than the initiative, its limitations on private rights of action and extended effective date—as well as the fact that it can be amended through the traditional legislative process—arguably make it a preferable vehicle for privacy regulation than the initiative.

As noted above, because the legislation was fast tracked, the Act also includes significant kinks to work out before its effective date. For example, the full extent of the consumer right to sue is not clear. In the short term, clarification of the Act’s requirements—by amendment and/or AG regulation—is essential. Over time, courts undoubtedly will play a critical role and may have the final say in defining the full scope of the Act and the extent of its obligations.

Below, we provide a high-level overview of the Act’s requirements.

Covered Businesses and Personal Information

Covered Businesses

The Act will apply to any entity doing business in California that meets one of the following thresholds: (i) it has annual gross revenues in excess of $25M; (ii) it annually buys, receives for its commercial purposes, sells, or shares for commercial purposes personal information relating to 50K or more consumers, households, or devices; or (iii) it derives 50% or more of its annual revenue from selling consumer personal information.[2]

The Act defines “consumer” broadly to include all California residents.[3] Unlike other privacy laws that may focus on information relating to specific individuals (e.g., customers, children, or patients), the Act will apply with respect to PI relating to any California resident, regardless of a business’s relationship to the individual, including, for example, employees, customers, vendors, and individuals associated with commercial customers who are residents of California.

Covered Personal Information

The Act defines “personal information” broadly to include any information that “identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”[4] The definition of PI includes, but is not limited to, 11 enumerated categories of information relating to consumers.

The Act retains the initiative’s broad approach to defining “personal information,” which includes categories of PI that are not typically referenced expressly in U.S. privacy laws, including, for example: (i) “commercial information,” including “purchasing or consuming histories or tendencies”; (ii) Internet activity, such as browsing or search history or a consumer’s “interaction” with a website, application, or advertisement; and (iii) “inferences drawn” from any of the enumerated categories of PI.[5] While the Act defines PI in detail, the definition’s reference to information linked to a particular “household” (which could include any child, spouse, or even roommate) creates uncertainty regarding its scope.[6]

Other Important Definitions

As with the initiative, the definitions matter. The Act includes a number of definitions that are critical to defining its scope and the extent of its obligations and limitations. While the number of terms defined is extensive and should be closely reviewed, we highlight three definitions because they are relevant to the various individual privacy rights—the definitions for the terms “collect,” “sale,” and “business purpose.” The Act broadly defines these terms to encompass many ways in which a business may handle PI:

Collecting

The Act defines the term “collect” as “buying, renting, gathering, obtaining, receiving, or accessing any [PI] from the consumer, either actively, or passively, or by observing the consumer’s behavior.”[7] For example, if a business accesses PI (such as photos or contacts) from a consumer device, it has “collected” PI even if such information is not stored or retained by the business.

Selling

The term “sale” is defined as disclosing PI to “another business or third party for monetary or other valuable consideration.”[8] It is unclear how broadly courts will interpret “valuable consideration.” Nonetheless, how the term is interpreted will be critical because the definition of “sale” defines, among other things, the scope of the consumer opt-out right provided in the Act.

Collecting and Disclosing for a Business Purpose

The Act defines a “business purpose” as “the use of [PI] for the business’ or service provider’s operational purposes, or other notified purposes, provided that the use of [PI is] reasonably necessary and proportionate to achieve the operational purpose for which it was collected.”[9] The Act divides “business purposes” into several categories of activities, including, for example, detecting security incidents and performing services, such as maintaining or servicing accounts, processing or fulfilling orders and transactions, processing payments, and providing analytic services. Of note, it is not clear whether the definition’s reference to the use of PI being “reasonably necessary and proportionate” to the purpose for which it was collected will be interpreted to function as a use limitation.

Individual Privacy Rights

The Act creates at least four “core” individual rights.

Right to Delete PI. First, the Act provides a consumer with the right to request that a business delete any PI that it has collected about the consumer.[10] The business must also direct service providers to delete a consumer’s PI in response to a verified “deletion” request.[11] The Act, however, includes nine exceptions to the obligation to delete. Some of these exceptions are more clear-cut, such as completing a transaction, detecting security incidents, or debugging to repair intended functionalities.[12] Others leave room for interpretation, such as where PI is used “to enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business,”[13] or where a business “otherwise use[s] the consumer’s [PI] internally in a lawful manner that is compatible with the context in which the consumer provided the information.”[14]

Right to Receive Information About, and Copies of, PI. The Act provides that, if requested by a consumer, a business must disclose the categories of PI that the business, within the year preceding the request, has (i) collected, (ii) “sold” to a third party,[15] or (iii) disclosed for a business purpose, as well as (iv) the categories of third parties to whom the business sold and/or disclosed PI for a business purpose.[16]

Significantly, unlike the initiative, the Act requires that a business also disclose: (i) the business or commercial purpose for which PI was collected and/or sold; (ii) the categories of sources from which PI was collected; and (iii) the “specific pieces” of PI a business collected about an individual.[17] The latter “portability” requirement greatly expands the scope and potential burden of responding to consumer requests. For example, a business must provide a consumer with this information “in a readily useable format that allows the consumer to transmit [the] information from one entity to another entity without hindrance.”[18]

To facilitate consumer requests for information, the Act requires businesses to make available two or more designated methods to request the information, including at a minimum, a toll-free number and, if the business has a website, a website address.[19] In addition, a business must disclose certain information about the Act online, including, if applicable, in its online privacy policy or in any California-specific description of consumers’ privacy rights.[20] This information, which must be updated at least once a year, includes: (i) a description of rights under the Act; and (ii) a list of categories of PI collected, sold to a third party, or disclosed for business purposes.[21]

Right to Opt Out. In general, the Act gives consumers the right to opt-out of the “sale” of PI.[22] For consumers ages 16 or under, however, the Act requires that businesses obtain affirmative consent to sell PI either from the consumer (if the consumer is between ages 13 and 16), or from the consumer’s parent or guardian (if the consumer is below age 13).[23] Notably, this opt-in requirement goes beyond the requirement under the federal Children’s Online Privacy Protection Act to obtain parental consent in order to collect PI for children under age 13.[24]

To enable consumer opt-out rights, the Act requires a “clear and conspicuous” link on the business’s homepage titled “Do Not Sell My Personal Information,” as well as a link to the business’ privacy policies.[25] If the business has a separate page for California consumers and takes reasonable steps to direct Californians to that page, the business does not have to include the “Do Not Sell” link on its homepage.[26]

Right to Be Free from Discrimination. The Act prohibits businesses from charging different prices or rates to consumers, providing different services, or denying goods or services to consumers who exercise their rights under the Act.[27] There are exceptions to this right, however, where, for example, the difference in prices or services is reasonably related to the value provided by the consumer’s data.[28] The Act also allows businesses to offer financial incentives in connection with the collection, sale, or deletion of PI.[29] Consumers must opt-in to such programs, and a business must include a description of the program on its “Do Not Sell My Personal Information” page.[30]

Exceptions

The Act includes several exceptions, including: (i) where complying with the Act would interfere with compliance with legal processes;[31] (ii) for collections “wholly outside” California;[32] (iii) where compliance would violate an evidentiary privilege, such as the attorney-client privilege;[33] and (iv) for certain information covered by other state and federal privacy laws, although these exceptions often will apply only to the extent the Act “conflict[s]” with the federal privacy law, such as the Gramm-Leach-Bliley Act.[34] The true scope and impact of these exceptions will become clearer as businesses analyze the Act’s requirements against specific processes and procedures and assess the extent to which those requirements impede or restrict business operations.

Enforcement

The Act provides for enforcement both through private rights of action for consumers and through administrative enforcement.

Private Right of Action

One of the most significant (and positive) ways in which the Act modified the initiative is by curtailing consumers’ private right of action. In comparison to the initiative, the Act: (i) limits the scope of when consumers can sue; (ii) decreases the amount of statutory damages available in consumer suits;[35] and (iii) imposes procedural hurdles that must be met before consumers may file suit.[36]

While the Act’s private right of action is narrower than the initiative’s, its scope is still unclear. When first proposed on June 21, 2018, the private right of action was apparently intended to be limited to situations in which consumers’ PI was subject to a “security breach.” But on June 25, the provision was amended to allow suits if consumers’ “nonencrypted or nonredacted [PI], as defined in [the California safeguards law], is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”[37] It is not clear how, if at all, these revisions expand the private right of action beyond traditional “security breaches” to encompass violations of the Act’s “individual rights.” For example, the provision could be interpreted to allow consumers to sue if their PI is sold after they opted out under the Act, or if a minor’s PI was sold without express consent.

The Act provides for civil enforcement in several contexts. For example, the Act provides the California AG with exclusive jurisdiction to sue for civil penalties under Bus. & Prof. Code § 17206 if a business fails to cure any alleged violation within 30 days of notice of the violation.[38] The Act also allows suits by the AG for intentional violations, with penalties up to $7,500.[39]

It is unclear, however, whether other law enforcement officials can enforce violations of the Act under Section 17206. What is clear is that the Act, unlike the initiative, does not expressly reference district attorneys and other local-level law enforcement officials in the civil enforcement provisions.

Effective Date and Regulations

The Act goes into effect on January 1, 2020.[40] Unlike the initiative, there is no express grace period for PI collected before or immediately after the Act takes effect.

Critical to the Act’s scope and requirements, the Act requires the AG to adopt implementing regulations on or before January 1, 2020 on certain issues, including, for example, establishing exceptions, rules, and procedures for compliance.[41] The AG can adopt additional regulations as necessary to further the Act’s purposes.[42]

Next Steps and Takeaways

The California Consumer Privacy Act is a first, not only because of its expansive scope, but also because of the process by which it was enacted. Never before has such sweeping privacy legislation been enacted in the span of a single week, with limited input from key stakeholders. While this fast track averted the ballot initiative and the challenges presented by the initiative, it also left a complex—and messy—privacy regime whose exact scope is not clear.

In the short term, businesses undoubtedly will continue their efforts to identify and advocate for amendments to clarify key ambiguities, including the scope of consumers’ private right of action and civil enforcement actions. Businesses may also seek to amend onerous provisions, such as the requirement that businesses disclose to consumers both categories of PI and “specific pieces” of PI collected about them. Separately, businesses should also monitor for any regulatory proposals by the California AG to implement the Act and be prepared to advocate accordingly.

Over the long term, businesses will need to assess the Act’s many obligations, mindful of the AG’s implementing regulations and any potential legislative “fixes” that may be enacted. While the Act will not be effective until January 1, 2020, the compliance process for many businesses will be a complex one that will require a significant investment of time and resources. For example, compliance with the right to deletion will require, among other things, assessing whether an exception applies, identifying the various places (both internally and externally at service providers) where data is stored, and creating new business processes to honor deletion requests. In some areas, businesses may find efficiencies in the steps required to develop a compliance plan. For example, identifying the various places where PI is stored will be relevant not only to the right to deletion but also to the right to receive a disclosure of the “specific pieces” of PI collected. Nonetheless, it is clear that the burden of complying with the Act will far exceed what many U.S. companies have previously experienced.

[4] § 1798.140(o)(1). The term “household,” however, is not defined. Note that the initiative applied to consumers and devices rather than consumers and households. Strangely, the Act defines “device” (§ 1798.140(j)) but not “household.”

[6] The Act excludes from the definition of PI information that is publicly available. § 1798.140(o)(2). The Act notes that “publicly available” does not include aggregate consumer information or deidentified information. Id. It is unclear whether the drafters intended to exclude aggregate consumer information and deidentified information from the definition of PI. This potential drafting error represents yet another ambiguity in the scope of covered PI.

[8] § 1798.140(t)(1)(2). Note that the Act’s definition of “sale” is narrower than the initiative’s, which also included disclosing PI to a third party for the third party’s commercial purposes, regardless of whether the business received any consideration in return. Moreover, the Act adds a “service provider” exception to the definition of “sale.” § 1798.140(t)(2)(C). Because the Act defines a sale as providing PI to either a business or a third party, sharing PI with entities meeting the “service provider” and/or third party exception brings that disclosure outside the scope of a “sale,” both for the purpose of a business’ disclosure obligations and for consumers’ opt-out rights.

[15] The Act defines “third party” in the negative to mean a person (which includes a corporate entity (§ 1798.140(n))) other than the business or a person receiving PI pursuant to a contract that prohibits it from: (i) selling the PI; (ii) retaining, using, or disclosing the PI for purposes other than those specified in the contract; and (iii) retaining, using, or disclosing the PI outside the direct relationship between the business and the entity, and who signs a certification stating that the person understands these restrictions and will comply with them. § 1798.140(w)(1)(2). This definition creates what amounts to a service provider exception for entities subject to these contractual and certification requirements. This affects businesses’ disclosure obligations with respect to sales and disclosures for a business purpose, as well as consumers’ opt-out rights. Moreover, the Act limits a business’s liability for violations of the Act by persons covered by the third-party contractual/certification requirements. § 1798.140(w)(2)(B).

[32] § 1798.145(a)(6). Collecting PI “wholly outside of California” means (i) the business collected the PI while the consumer was outside California; (ii) no part of the sale of the consumer’s PI occurred in California; and (iii) no PI collected while the consumer was in California is sold. Id.

[34] § 1798.145(c)-(f). These laws include the Confidentiality of Medical Information Act (CMIA), the Health Insurance Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), and the Driver’s Privacy Protection Act (DPPA). The exact scope of these exceptions is not clear. For example, the GLBA and DPPA exceptions generally would apply only to the extent that the Act “conflict[s]” with the federal standards. § 1798.145(e)-(f).

[35] The Act provides for statutory damages of between $100 and $750, or actual damages, whichever is greater. § 1798.150(a)(1)(A). This is lower than the initiative’s $1,000 to $3,000 in statutory damages.

[36] These include providing 30-day written notice before initiating an action for statutory damages, as well as notifying the AG 30 days after filing suit for a business’s violation of a cure notice, so that the AG may either prosecute the action, decline to do so, or tell the consumer not to proceed. § 1798.150(b)(1)(2). No notice is required, however, if a consumer pursues actual damages. § 1798.150(b)(1).
